When an update is sent directly to a data DSA marked as "shadow", the DSA will refuse to process the update, and will generate the following error:
-> #0 LDAP ADD-ENTRY-REFUSE
invoke-id = 12 credit = 1
Service Error: Directory unwilling to perform
A dsa-flag of "Shadow" indicates to a CA Directory backbone that the DSA can only process updates received from other multi-write DSAs. A "shadow" DSA cannot execute update operations sent directly to it from either CA Directory routers or LDAP clients; any operation sent directly to it from router DSAs or LDAP clients will be refused.